feat: Cease using Trivy in the SDLC Workflow

A compromise of the Trivy build was handled imprefectly, leading to a
second compromise and severe security impact on its users.  Trust in the
tool will need to be regained before we will use it in our workflows.

Author: boite

README.md

@@ -98,7 +98,7 @@ your repository.
 | github<br>features<br>squash_merge `boolean` |true| Allow squash-merging pull requests.|
 | github<br>features<br>merge_commit `boolean` |true| Allow merging pull requests with merge commit.|
 | github<br>features<br>rebase_merge `boolean` |true| Allow rebase-merging pull requests.|
-| github<br>features<br>sdlc_workflows `boolean` |false| **EXPERIMENTAL** Software Development Lifecycle Workflows. Property will likely be removed in the future, and enabled by default, when workflows have been stabilized.|
+| github<br>features<br>sdlc_workflows `boolean` |false| **EXPERIMENTAL** Software Development Lifecycle Workflows: release and cleanup. Security scanning (trivy) has been removed due to supply chain compromise.|
 | github<br>features<br>wiki `boolean` |false| Enable Wiki tab.|
 | github<br>features<br>issues `boolean` |false| Enable issues tab.|
 | github<br>features<br>projects `boolean` |false| Enable projects tab.|

docs/partials/readme.configuration.md

@@ -25,7 +25,7 @@
 | github<br>features<br>squash_merge `boolean` |true| Allow squash-merging pull requests.|
 | github<br>features<br>merge_commit `boolean` |true| Allow merging pull requests with merge commit.|
 | github<br>features<br>rebase_merge `boolean` |true| Allow rebase-merging pull requests.|
-| github<br>features<br>sdlc_workflows `boolean` |false| **EXPERIMENTAL** Software Development Lifecycle Workflows. Property will likely be removed in the future, and enabled by default, when workflows have been stabilized.|
+| github<br>features<br>sdlc_workflows `boolean` |false| **EXPERIMENTAL** Software Development Lifecycle Workflows: release and cleanup. Security scanning (trivy) has been removed due to supply chain compromise.|
 | github<br>features<br>wiki `boolean` |false| Enable Wiki tab.|
 | github<br>features<br>issues `boolean` |false| Enable issues tab.|
 | github<br>features<br>projects `boolean` |false| Enable projects tab.|

repo.schema.yaml

@@ -176,8 +176,8 @@ properties:
 
           sdlc_workflows:
             description: >
-              **EXPERIMENTAL** Software Development Lifecycle Workflows. Property will likely be removed in
-              the future, and enabled by default, when workflows have been stabilized.
+              **EXPERIMENTAL** Software Development Lifecycle Workflows: release and cleanup.
+              Security scanning (trivy) has been removed due to supply chain compromise.
             type: boolean
             default: false
 

tasks/generate-files.yaml

@@ -23,6 +23,11 @@
     path: "{{ repo_path }}/.github/workflows"
     state: directory
 
+- name: Remove compromised 50-security workflow (trivy supply chain attack)
+  ansible.builtin.file:
+    path: "{{ repo_path }}/.github/workflows/50-security.yaml"
+    state: absent
+
 - name: Generate repo-ansible workflow
   ansible.builtin.template:
     src: ./templates/.github/workflows/auto-run-repo-ansible.yaml.j2

tasks/other-dev-generated-files.yaml

@@ -33,8 +33,6 @@
         workflow_group: "10"
       - target: 30-release-and-build.yaml
         workflow_group: "30"
-      - target: 50-security.yaml
-        workflow_group: "50"
       - target: 90-cleanup.yaml
         workflow_group: "90"